CN109190375B - Equation set for analyzing malicious program propagation rules and malicious program diffusion prediction method - Google Patents
- Publication number: CN109190375B (application CN201810872642.9A)
- Authority
- CN
- China
- Prior art keywords
- equipment
- infected
- data
- malicious program
- malicious
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
- G—PHYSICS
  - G06—COMPUTING; CALCULATING OR COUNTING
    - G06F—ELECTRIC DIGITAL DATA PROCESSING
      - G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
        - G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
          - G06F21/55—Detecting local intrusion or implementing counter-measures
            - G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
              - G06F21/566—Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
- G—PHYSICS
  - G06—COMPUTING; CALCULATING OR COUNTING
    - G06F—ELECTRIC DIGITAL DATA PROCESSING
      - G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
        - G06F2221/03—Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
          - G06F2221/033—Test or assess software
Abstract
The invention relates to an equation set for analyzing the propagation rule of a malicious program, shown as formula I, and to a malicious software diffusion prediction method based on a differential equation model. The method comprises the following steps. Data statistics: count the number and information of the malicious programs and their types in the selected area to obtain statistical data. Data analysis: compute, from the statistical data, an initial value, a latency period, an infection rate and a controlled rate. Data solving: substitute the initial value, the latency, the infection rate and the controlled rate into the equation set and solve it with the Runge-Kutta method to obtain the predicted number of infected devices. The invention applies big data technology together with an ordinary differential equation model to analyze and predict the devices infected by a malicious program, so that the spreading trend of the malicious program is known and a corresponding strategy can be made.
Description
Technical Field
The invention relates to the technical field of big data security, in particular to an equation set for analyzing the propagation rule of a malicious program and a malicious program diffusion prediction method based on a differential equation model.
Background
Networks are increasingly widespread and the internal office networks of government bodies keep growing in scale; for example, the public security private network is now networked nationally, so the burden of managing every terminal in such a network is huge. At the same time, malicious program attacks occur frequently and the technical means of attack are constantly changing and being updated, so the problem of network security prevention is becoming more and more prominent. It is therefore important to detect and predict malicious programs, and at present there is no method for predicting malicious programs.
Disclosure of Invention
The invention aims to solve the problems and provides an equation set for analyzing the propagation rule of a malicious program and a malicious program diffusion prediction method based on a differential equation model, which can realize the analysis and prediction of equipment infected by the malicious program.
In order to achieve the purpose, the invention adopts the following technical scheme:
On the one hand, an embodiment of the invention discloses an equation set for analyzing the propagation law of a malicious program, in which
I denotes the free contaminated devices, P denotes the diagnosed devices, T denotes the incubation period, λ denotes the number of devices infected by each contaminated device per day (the infection rate), and j denotes the probability that a free contaminated device is diagnosed on a given day (the controlled rate).
Further, λ is determined by a linear fit on the basis of the daily infection-rate samples, and
the value of j is j = m/N, where
N is the number of devices carrying the malicious program that need to be confirmed, and
m is the number of devices that can be identified per day.
On the other hand, the embodiment of the invention also discloses a malicious software diffusion prediction method based on a differential equation model, which comprises the following steps:
Data statistics: count the number and information of the malicious programs and their types in the selected area to obtain statistical data.
Data analysis: compute from the statistical data. Set the average number of infected devices counted over the current period as the initial value. Counting back from the current time point, compare each day's number of infected devices with the initial value; the first day on which the number is less than the initial value is the initial latency time point, and the period between that point and the current time point is the latency (in days). Finally, compute λ (the infection rate) and j (the controlled rate) according to the formula.
Data solving: substitute the initial value, the latency, the infection rate and the controlled rate into the equation set and solve it with the Runge-Kutta method to obtain the predicted number of infected devices.
Further, an alarm is raised when the predicted result obtained from the data solving exceeds a threshold.
Further, the threshold is set to be three times as large as the initial value.
The invention has the beneficial effects that:
the invention adopts big data technology and combines ordinary differential equation model to analyze and predict the equipment infected by the malicious program, so as to know the spreading trend of the malicious program and make the related strategy.
Drawings
FIG. 1 is a diagram of a current linear regression fit line according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of a four-chamber model according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of a fitting curve according to an embodiment of the present invention;
FIG. 4 is a flow chart illustrating an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention will be described in further detail with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
An embodiment of the invention discloses an equation set for analyzing the propagation law of a malicious program, in which
I denotes the free contaminated devices, P denotes the diagnosed devices, T denotes the incubation period, j denotes the probability that a free contaminated device is diagnosed on a given day, and λ denotes the number of devices infected by each contaminated device per day.
λ is determined by a linear fit on the basis of the daily infection-rate samples, and
the value of j is j = m/N, where
N is the number of devices carrying the malicious program that need to be confirmed, and
m is the number of devices that can be identified per day.
The embodiment of the invention also discloses a malicious software diffusion prediction method based on the differential equation model, which comprises the following steps:
Data statistics: count the number and information of the malicious programs and their types in the selected area to obtain statistical data.
Data analysis: compute from the statistical data. Set the average number of infected devices counted over the current period as the initial value. Counting back from the current time point, compare each day's number of infected devices with the initial value; the first day on which the number is less than the initial value is the initial latent time point, and the period between that point and the current time point is the latent period (in days). Then compute λ (the infection rate) and j (the controlled rate) according to the formula.
Data solving: substitute the initial value, the latency, the infection rate and the controlled rate into the equation set and solve it with the Runge-Kutta method to obtain the predicted number of infected devices.
An alarm is raised when the predicted result obtained from the data solving exceeds a threshold. The threshold is set to three times the initial value.
Example 1: Preliminary establishment of the method, as shown in FIG. 4.
A four-compartment model is used, as shown in FIG. 2, in which:
- Healthy devices: S denotes the number of healthy devices.
- Free contaminated devices (infected): I denotes the number of contaminated devices not yet diagnosed as infectious.
- Confirmed devices (isolated): P denotes devices that have been isolated and removed from the infected population; they can no longer infect other devices.
- Repaired or damaged devices (including both "repaired devices" and "damaged devices"): their number is denoted by R, and they no longer take part in the spread of the malicious program. Note: device damage, typically caused by malicious program corruption, is rare, so its impact is not considered in this approach.
Construction of the differential equations:
1. Let the infection rate be λ1, meaning the proportion of infected to healthy devices among the devices that a free contaminated device contacts (communicates with) each day, so
2. A free contaminated device is one that carries the malicious program, is latent or has begun to spread, but is not isolated. Such devices originate from the infection of healthy devices, and the diagnosis and isolation of free contaminated devices reduces this population. Different malicious programs have different latencies, and an infected device does not necessarily start attacking right away, so this class of devices is the most dangerous. Let T be the incubation period, i.e. an infected device is diagnosed at the earliest after T days, and let j be the probability that a free infected device is diagnosed on a given day, so
Note: the number of contaminated devices is generally small relative to the total number of devices, and substituting S directly would, because of the very large device count, swamp some characteristics of the equation and make it ill-conditioned. S is therefore absorbed into λ1, the resulting coefficient is denoted λ, and S is treated as constant; λ is then the number of devices infected by each infected device per day, so that
3. The number of infected devices that are diagnosed is
4. The system of ordinary differential equations is set forth as
example 2The coefficients are confirmed as in fig. 4.
The first is big data statistics: the analysis and prediction are carried out according to the business requirements, so that the device data (in days) infected by the malicious program in a period of time (generally, the period of time closest to the current time) is obtained.
And then, related parameters are sequentially acquired according to the actual situation.
1) The initial value function i (T) ═ Φ (T), T ∈ [ -T,0 ]. This is the starting function of the differential equation with delay, and can be obtained by performing statistics and fitting according to the data in the actual environment. The method is characterized in that the average value of the infected equipment counted according to big data is set as the value of an initial function, namely an initial value.
2) T value, i.e. latency. In an actual network environment, the period of time from when a device carrying a malicious program receives a malicious program file until the device is detected to have some malicious behavior can be considered as the latency of the malicious program on the device. And determining the latency T value of the malicious program according to the specific situation in the actual environment. The method comprises the steps of calculating back based on the current time point, comparing the number of infected equipment counted each day with an initial value, and when the number of infected equipment is smaller than the initial value, judging that the time point is an initial latency time point, wherein the time period between the initial latency time point and the current time point is a latency period (also taking days as a unit).
3) The lambda value, namely the infection rate, reflects the security awareness of business personnel and the capability of an information system for resisting security threats, and the method comprises the following steps: the ratio of the number of newly-added infected devices to the total number of infected devices per day can be approximately regarded as a sampling of the infection rate per day, i.e.
According to the statistical rule, the infection rate is measured in every dayOn the basis of (2), a linear fitting manner is adopted to determine the value of lambda. As shown in FIG. 1, the abscissa is the time number, the ordinate is the reciprocal of the sample of the infection rate per day, and the oblique line is the linear regression fit line.
4) The value of j, i.e., the controlled rate, 1/j can be considered as the number of days that the malicious program propagator can effectively act before being diagnosed and isolated, and this term is related to the degree of control. The higher the false alarm rate of the malicious program detection technology, the more hidden the malicious program and the more detection technologies needed, the smaller the j value, and the harder the propagator of the malicious program is to control. Here, assuming that the number of devices carrying a certain malicious program that need to be confirmed is N, and the number of devices that can be confirmed every day is m, then
j=m/N
Example 3: Solving the method, as shown in FIG. 4.
The parameters λ, j, T and Φ(t) are adjusted repeatedly so that they conform to the statistical characteristics of the actual data and the theoretical and actual values agree as closely as possible.
The parameter values are then substituted into the differential equation system. Since the system has no closed-form analytical solution, it is solved with the Runge-Kutta method from numerical analysis.
The Runge-Kutta solving process is as follows:
Let the initial value problem be expressed as
y′ = f(t, y), y(t_0) = y_0
where
k1 = f(t_n, y_n)
k4 = f(t_n + h, y_n + h·k3)
Thus the next value y_{n+1} is determined from the present value y_n plus the product of the step size h and an estimated slope. This slope is a weighted average of the following slopes:
- k1 is the slope at the beginning of the interval;
- k2 is the slope at the midpoint of the interval, where the value of y at t_n + h/2 is obtained by Euler's method using the slope k1;
- k3 is also the slope at the midpoint, but this time the value of y is determined using the slope k2;
- k4 is the slope at the end of the interval, with the value of y determined from k3.
The specific calculation is as follows:
Setting λ = 0.4, j = 0.32, T = 5 and Φ(t) = 2000, the partial data set obtained is {2090, 2000, 1834, 1723, 1678, 1589, 1500, …}.
The predicted value obtained by the Runge-Kutta method is
y_{n+1} = 2098
Finally, the approximate form of the fitted curve is shown in FIG. 3. The curve shows that the growth rate is high once the malicious program has spread widely, and that as the number of infected devices increases and the malicious program gradually saturates, the infection is brought under control in the later stage.
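The following Python is an added example, not code from the patent: it implements the procedure of Examples 2 and 3 above (initial value as the mean of recent daily counts, the backward latency search, j = m/N, RK4 integration, and the threefold-threshold alarm from the claims). Because the page does not reproduce the equation set, the model form dI/dt = λ·I(t) - j·I(t-T), dP/dt = j·I(t-T) with history I(t) = Φ(t) on [-T, 0] is an assumption drawn from the description's prose, and the daily counts are constructed sample data.

```python
"""Added example: the patent's pipeline (initial value, latency search, j = m/N,
RK4 integration) for an assumed delay model dI/dt = lam*I(t) - j*I(t-T),
dP/dt = j*I(t-T), history I(t) = phi(t) on [-T, 0]; the page omits the equations."""
from typing import Callable, List, Optional, Sequence, Tuple

def rk4_step(f: Callable[[float, List[float]], List[float]],
             t: float, y: List[float], h: float) -> List[float]:
    """One classical fourth-order Runge-Kutta step: k1 at the start, k2 and k3 at
    the midpoint (Euler predictions with slopes k1 and k2), k4 at the end."""
    def shift(base, k, s):  # base + s * k, componentwise
        return [b + s * ki for b, ki in zip(base, k)]
    k1 = f(t, y)
    k2 = f(t + h / 2, shift(y, k1, h / 2))
    k3 = f(t + h / 2, shift(y, k2, h / 2))
    k4 = f(t + h, shift(y, k3, h))
    return [yi + h / 6 * (a + 2 * b + 2 * c + d)
            for yi, a, b, c, d in zip(y, k1, k2, k3, k4)]

def simulate(lam: float, j: float, T: float, phi: Callable[[float], float],
             days: float, h: float = 1.0) -> List[Tuple[float, float, float]]:
    """Integrate the assumed delay model from t = 0 to t = days with step h and
    return (t, I, P) at every grid point. The lagged value I(t - T) comes from phi
    for t - T <= 0 and from linear interpolation of the computed I trajectory
    otherwise; that lookup never runs ahead of the solution as long as T >= h."""
    if T < h:
        raise ValueError("latency T must be at least one step h")
    traj_i = [phi(0.0)]  # I at grid points 0, h, 2h, ...

    def i_at(t: float) -> float:
        if t <= 0:
            return phi(t)
        k = t / h
        k0 = int(k)
        if k0 + 1 >= len(traj_i):  # newest point (or within rounding of it)
            return traj_i[-1]
        return traj_i[k0] + (k - k0) * (traj_i[k0 + 1] - traj_i[k0])

    def rhs(t: float, y: List[float]) -> List[float]:
        lagged = i_at(t - T)  # devices infected T days ago are diagnosed now
        return [lam * y[0] - j * lagged, j * lagged]

    y = [phi(0.0), 0.0]
    out = [(0.0, y[0], y[1])]
    for k in range(int(round(days / h))):
        y = rk4_step(rhs, k * h, y, h)
        traj_i.append(y[0])
        out.append(((k + 1) * h, y[0], y[1]))
    return out

def initial_value(daily_counts: Sequence[float], window: int) -> float:
    """Initial value Phi: mean of the most recent `window` daily infected counts."""
    recent = daily_counts[-window:]
    return sum(recent) / len(recent)

def estimate_latency(daily_counts: Sequence[float], init: float) -> Optional[int]:
    """Count back from the current day (last entry): the first day whose count is
    below the initial value is the initial latency point, and T is the number of
    days from it to the current day. None if no such day is in the data."""
    today = len(daily_counts) - 1
    for d in range(today, -1, -1):
        if daily_counts[d] < init:
            return today - d
    return None

def controlled_rate(m: float, N: float) -> float:
    """j = m / N: devices confirmable per day over devices still to be confirmed."""
    return m / N

def should_alarm(predicted: float, init: float) -> bool:
    """Claims 2 and 3: alarm when the prediction exceeds three times the initial value."""
    return predicted > 3 * init

if __name__ == "__main__":
    counts = [1200, 1500, 1700, 1900, 1950, 2000, 2050, 2100, 2150]  # constructed, oldest first
    init = initial_value(counts, 5)         # 2050.0
    T = estimate_latency(counts, init)      # 3 days
    lam, j = 0.4, controlled_rate(32, 100)  # the page's example rates, 0.4 and 0.32
    traj = simulate(lam, j, float(T), lambda t: init, days=10)
    t, I, P = traj[-1]
    print(f"T={T} day(s); after {t:.0f} days I={I:.0f}, P={P:.0f}, alarm={should_alarm(I, init)}")
```

With λ = j the model has the constant history as an exact fixed point for I, which is a quick sanity check of the delay handling before fitting real parameters.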
In summary, the differential equation disclosed in the embodiment of the present invention can be used with big data technology to analyze malicious program alarm data, capture relevant abnormal behavior effectively and in time, and display an early warning at the early stage of virus diffusion, which helps to quickly locate virus diffusion behavior and perform reverse tracing.
The above description is only for the preferred embodiment of the present invention, and is not intended to limit the scope of the present invention; it is intended that the following claims be interpreted as including all such alterations, modifications, and equivalents as fall within the true spirit and scope of the invention.
Claims (4)
1. A malware diffusion prediction method based on a differential equation model is characterized by comprising the following steps:
data statistics: counting the number and information of the malicious programs and their types for the selected area to obtain statistical data;
data analysis: computing from the statistical data, setting the average number of infected devices counted over the current period as an initial value, counting back from the current time point and comparing each day's number of infected devices with the initial value, taking the first day on which that number is less than the initial value as the initial latency time point, the period between the initial latency time point and the current time point being the latency period, and computing λ and j according to a formula;
data solving: substituting the initial value, the latency, λ and j into a simplified equation set for analyzing the propagation rule of the malicious program, and solving it with the Runge-Kutta method to obtain the predicted number of infected devices;
wherein the simplified equation set for analyzing the propagation rule of the malicious program is
wherein I denotes the free contaminated devices, P denotes the diagnosed devices, T is the latency period, λ is the number of devices infected by each infected device per day, and j is the probability that a free contaminated device is diagnosed on a given day;
wherein the formula comprises:
λ is determined by a linear fit on the basis of the daily infection-rate samples, and
the value of j is j = m/N, where
N is the number of devices carrying the malicious program that need to be confirmed, and
m is the number of devices that can be identified per day.
2. The method of claim 1, wherein the results are solved from the data and an alarm is raised when the predicted results exceed a threshold.
3. The method of claim 2, wherein the threshold is set to three times the initial value.
4. The method of claim 1, wherein the incubation period is in units of days.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810872642.9A CN109190375B (en) | 2018-08-02 | 2018-08-02 | Equation set for analyzing malicious program propagation rules and malicious program diffusion prediction method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109190375A CN109190375A (en) | 2019-01-11 |
CN109190375B true CN109190375B (en) | 2021-03-19 |
Family
ID=64919923
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810872642.9A Active CN109190375B (en) | 2018-08-02 | 2018-08-02 | Equation set for analyzing malicious program propagation rules and malicious program diffusion prediction method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109190375B (en) |
Families Citing this family (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110008589B (en) * | 2019-04-03 | 2023-02-24 | 上海北信源信息技术有限公司 | Equipment infection prediction method and system |
CN111414615B (en) * | 2020-03-27 | 2023-01-20 | 河南经贸职业学院 | Safety monitoring system based on computer network |
GB2593780B8 (en) * | 2020-04-03 | 2022-09-28 | British Telecomm | Malware protection based on final infection size |
CN112148818B (en) * | 2020-05-11 | 2022-09-16 | 每日互动股份有限公司 | Terminal data processing system |
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102300208A (en) * | 2011-06-21 | 2011-12-28 | 常州艾可泰自动化设备有限公司 | Optimized protection strategy against dissemination of malicious software of wireless sensor network |
GB2512847A (en) * | 2013-04-09 | 2014-10-15 | Ibm | IT infrastructure prediction based on epidemiologic algorithm |
CN103873484B (en) * | 2014-04-01 | 2017-02-01 | 福建师范大学 | malicious worm propagation model based on mobile network and control method thereof |
CN108092832A (en) * | 2018-02-12 | 2018-05-29 | 山东师范大学 | A kind of social networks Virus Info suppressing method and system |
Events
- 2018-08-02: application CN201810872642.9A filed in CN; patent CN109190375B, status Active
Also Published As
Publication number | Publication date |
---|---|
CN109190375A (en) | 2019-01-11 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |
| CP03 | Change of name, title or address | Address after: 301, floor 3, building 103, No. 3, minzhuang Road, Haidian District, Beijing; Patentee after: Mixin (Beijing) Digital Technology Co.,Ltd.; Address before: 100093 301, 3rd floor, building 103, 3 minzhuang Road, Haidian District, Beijing; Patentee before: BEIJING BEIXINYUAN INFORMATION SECURITY TECHNOLOGY CO.,LTD. |